CVE-2011-4211

Currently unrated

Key Information:

Vendor: Google
Status: App Engine Python Sdk
Vendor: CVE Published:; 30 October 2011

Summary

The FakeFile implementation in the sandbox environment in the Google App Engine Python SDK before 1.5.4 does not properly control the opening of files, which allows local users to bypass intended access restrictions and create arbitrary files via ALLOWED_MODES and ALLOWED_DIRS changes within the code parameter to _ah/admin/interactive/execute, a different vulnerability than CVE-2011-1364.

References

http://code.google.com/p/googleappengine/wiki/SdkReleaseN...

x_refsource_MISC

https://exchange.xforce.ibmcloud.com/vulnerabilities/71064

vdb-entryx_refsource_XF

http://blog.watchfire.com/files/googleappenginesdk.pdf

x_refsource_MISC

Timeline

Vulnerability published
Oct 30, 2011
Vulnerability Reserved
Oct 30, 2011

Collectors

NVD DatabaseMitre Database